Link: Scribd fullscreen link from suspicious sender

calendar Aug 5, 2025 · Attack surface reduction  ·
Share on: linkedin copy

Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history.

Sublime rule (View on GitHub)

 1name: "Link: Scribd fullscreen link from suspicious sender"
 2description: "Detects messages containing Scribd links with the fullscreen parameter from senders with no prior benign communication or recent history."
 3type: "rule"
 4severity: "medium"
 5source: |
 6  type.inbound
 7  and length(body.links) < 10
 8  and any(body.links,
 9          (
10            .href_url.domain.root_domain == "scribd.com"
11            or strings.icontains(.href_url.query_params, 'scribd.com')
12            or strings.icontains(.href_url.query_params, 'scribd%2ecom')
13            or strings.icontains(.href_url.query_params, 'scribd%252ecom')
14          )
15          and strings.icontains(.href_url.fragment, 'fullscreen')
16  )
17  and not profile.by_sender_email().any_messages_benign  
18tags:
19 - "Attack surface reduction"
20attack_types:
21  - "Credential Phishing"
22tactics_and_techniques:
23  - "Free file host"
24  - "Social engineering"
25  - "Evasion"
26detection_methods:
27  - "URL analysis"
28  - "Sender analysis"
29id: "9e9bc972-d4e1-5bd0-96bc-b8b10e74b02a"

Related rules

to-top